UK Emergency Surveillance Law Criticized For Being Overly Broad, Vague And Draconian


Late last week it emerged that the UK government intended to railroad emergency surveillance legislation through Parliament just before the summer recess — meaning members of parliament would not be able to properly scrutinise the law.

The new Data Retention and Investigation Powers Bill (aka DRIP) is being ‘debated’ in the House of Commons today — but a few days’ debate is a far cry from the lengthy scrutiny process usually afforded when the government tries to pass new legislation. Cue cries of ‘surveillance state stitch up’.

The government claims emergency legislation is necessary because a European Court of Justice (ECJ) ruling struck down European data retention powers back in April.

But that claim looks tenuous, to say the least, given the ECJ ruling took place three months ago — three months when the government could have been publicly debating what its response should be and drafting and debating new legislation.

Instead it’s done a deal with opposition MPs behind closed doors so that an ‘emergency’ bill will be passed without serious opposition — and without proper scrutiny. Bottom line: this is democracy at its most undemocratic.

(The hearing of the bill is also taking place on the same day the government announced a cabinet reshuffle — which is keeping much of the political press busy.)

The government has also sought to claim that DRIP does not extend data retention powers but merely shores up existing powers, after their legality was cast into doubt by the ECJ ruling.

Again that claim has increasingly looked like spin. For one thing the bill extends UK state interception powers to overseas communications providers, not just UK-based companies. It also grants what one former lawyer described to TechCrunch as “draconian and swingeing powers” to the UK Home Secretary to set rules for data retention.

The UK Home Secretary Theresa May euphemistically described DRIP’s overseas extension as “legal clarity” in a statement to Parliament when the draft bill was published last week.

That suggests the UK government has perhaps had no problems getting overseas comms providers to co-operate with it in the past to hand over data — but, in the wake of the ECJ ruling invalidating the European directive, may have been facing problems with that ‘co-operation’ as companies feared they could be accused of acting illegally under European law.

Today an open letter signed by fifteen Internet law academics has slammed the government’s claim that DRIP is ‘business as usual data retention legislation’ as “false” — arguing that the legislation does indeed extend state surveillance powers through a significant expansion of UK interception powers overseas.

“The legislation goes far beyond simply authorising data retention in the UK,” they write. “In fact, DRIP attempts to extend the territorial reach of the British interception powers, expanding the UK’s ability to mandate the interception of communications content across the globe. It introduces powers that are not only completely novel in the United Kingdom, they are some of the first of their kind globally.”

The open letter follows in full at the end of this post.

Does DRIP constitute a significant expansion of UK state surveillance powers? Speaking to TechCrunch, John Salmon, senior partner at UK law firm Pinsent Masons said in his view it does not, but he also suggested the government is treading a fine line — with the risk of the legislation facing a challenge under European privacy or human rights law.

“There is still, I think, potential that the government could be challenged… What the European Court of Justice said is you’ve got to balance the right to privacy of the individual against the desire of government to detect crime. And that’s a careful and difficult balance which they felt the Data Retention Directive had got the wrong side of that balance,” said Salmon.

“I think the UK government is trying to get on the right side of that balance but one of the things that [the ECJ] talked about was this objective criteria. And what the [UK] government have put in [with DRIP] is very much up to the Secretary of State to make these [data retention] orders.

“What they haven’t said in that legislation is that the Secretary of State has to, for instance, be objective in deciding what they need to do. And secondly, the purposes for which our data are being retained again talks about crime, the detection of crime — whereas again the [European] Lord Justice talks about serious crime. The example he used was organised crime and terrorism, which is very different from any crime, clearly.”

DRIP does water down the retention period set by the prior European data retention directive, from up to two years to up to one year. It also has a sunset clause, meaning it expires after two years — but there’s precious little past precedent for surveillance legislation being loosened over time. Quite the opposite.

On the expansion of interception powers to overseas companies, he said the government’s argument is that “it was always supposed to cover these people, and this is them just trying to close a loophole”.

“It’s effectively the same power to intercept, it’s just potentially across a wider group of people,” he said. “Whether [the expansion of powers to overseas comms providers] will succeed or not I don’t know — I guess we’ll find out when they try and enforce these.”

“It’s not actually extending the interception power itself — it’s just extending it to a wider group of people. Whether you call that an extension or not I don’t know,” he added. “It is potentially extending it to a wider group of people, which they say they were always trying to cover in the first place. But it depends on how you define all that.”

On the risk of a challenge to the legislation, Salmon points out that the government may well be calculating that any legal challenge brought against DRIP would take longer than the lifespan of the bill itself.

“I guess the government probably are thinking well ultimately if it goes to court, then it would potentially get another referral to the ECJ which, as you know, is not exactly a swift process,” he added. “They’re going to get another two years.”

But with question marks hanging over the current implementation of an invalid European directive, Salmon said, in his view, the government does need to be “pro-active” — so he supports the rush to legislate.

“I agree with the idea of having emergency legislation, my own question is whether they’ve got the right balance or not — and I don’t know the answer to that,” he added.

Also speaking to TechCrunch, Danvers Baillieu, formerly of Pinsent Masons and now COO of Privax (the maker of the HideMyAss.com VPN), said the most worrying aspect of DRIP is that it sets up an overly broad framework for the Home Secretary to set rules for the retention of data.

“It would be nice if this kind of legislation wasn’t done in this way. If the meat of it was in the main primary legislation rather than having powers for the Secretary of State to issue notice… Basically clause 1 [of DRIP] says the Secretary of State may issue a retention notice and it may require just about anything — including ‘the retention notice may make different provision for different purposes’, that’s what it says in the bill. So a retention notice can pretty much tell you to do anything — other than hold anything longer than 12 months.”

“We’ll see what differences there are [vs existing UK data retention legislation] when the Secretary of State uses her powers to bring in secondary legislation — so a statutory instrument or something — or gives direction to communication providers to retain data,” he added.

“It’s very broad and vague legislation that grants very broad and swingeing and draconian powers — potentially. Well it grants those draconian and swingeing powers and they could potentially be exercised in that way by the government if it chose to do so without any further legislation being required.”

On the interception point, Baillieu said DRIP certainly clarifies the situation for overseas comms providers that do have some presence in the UK — although those who do not may well be able to ignore the law.

“The obvious practical significance of this is it certainly clarifies beyond any doubt that companies like Microsoft, that operate Skype, or Google and Twitter or Facebook and all these other big companies, that are not UK companies, don’t have servers in the UK for actually storing data, but obviously have offices in the UK, are obliged to comply with a RIPA [Regulation of Investigatory Powers Act] notice,” he said. “I don’t know, as a matter of course whether Google and Facebook were already complying or not.

“Now obviously the question is if a company doesn’t have a presence in the UK… what are they going to do about it? And in the same way that if we get a notice, here at HideMyAss.com, obliging us to hand over documents to let’s say the Chinese or frankly any foreign country we tell them to get stuffed. Because we’re not subject to their laws. So extraterritoriality is, in theory, a very nice thing to have but it’s of little power if you don’t have the policemen who can go and enforce it.”

Baillieu added that one downside of the legislation’s extraterritoriality requirement may therefore be to discourage some overseas companies from siting a European HQ in the UK, although he said such a requirement isn’t likely to be hugely offputting either. “I wouldn’t want to overstate it,” he added.

The open letter on DRIP signed by 15 UK Internet law academics follows below in full.